(In reply to Fabian Vogt from comment #4)
> Can pam_systemd somehow forward the session keyring to the systemd user
> instance it starts? If not, the only option I see is to have separate
> session keyrings for systemd user services and other parts of the session.

I understand the intent is to use KEY_SPEC_SESSION_KEYRING (not KEY_SPEC_USER_SESSION_KEYRING nor KEY_SPEC_USER_KEYRING). As you wrote, this is shared via forking ancestry. A process calling into pam_systemd and the systemd user instance are not generally comparable in this relation, so a "horizontal" passing would be needed.

I can see there is only KEYCTL_SESSION_TO_PARENT, which could partly overcome this, but it wouldn't work for already forked processes.

Another idea (besides Lennart's KEY_SPEC_USER_KEYRING but not very sane) would be to start the desktop environment as a systemd user instance service (i.e. DE comparable in ancestry relation with systemd user instance). (While the display manager would start a particular user instance target to bring all up. I never saw that except for this related Archlinux attempt [1].)

[1] https://wiki.archlinux.org/title/Systemd/User#Xorg_as_a_systemd_user_service
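The "shared via forking ancestry" behaviour discussed in the comment above, as an added example that is not part of the original comment or of systemd: a forked child sees the parent's session keyring, while a process that joins its own session keyring ends up with a different one and leaves the parent's untouched. It uses the raw `keyctl(2)` syscall on Linux; the helper names are hypothetical, and the demo function returns -1 where `keyctl` is unavailable or blocked.

```c
#define _GNU_SOURCE
#include <linux/keyctl.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Thin wrapper over keyctl(2); avoids a dependency on libkeyutils. */
static long kctl(int op, long a, long b) {
    return syscall(SYS_keyctl, op, a, b, 0L, 0L);
}

/* Serial number of the caller's session keyring, or -1 on error. */
static long session_id(void) {
    return kctl(KEYCTL_GET_KEYRING_ID, KEY_SPEC_SESSION_KEYRING, 0);
}

/* Fork a child, optionally have it join a fresh anonymous session keyring,
 * and return the session keyring serial that child sees (-1 on error). */
static long child_session_id(int join_new) {
    int fd[2];
    long id = -1;
    if (pipe(fd) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fd[0]); close(fd[1]); return -1; }
    if (pid == 0) {
        if (!join_new || kctl(KEYCTL_JOIN_SESSION_KEYRING, 0, 0) >= 0)
            id = session_id();
        _exit(write(fd[1], &id, sizeof id) == sizeof id ? 0 : 1);
    }
    close(fd[1]);
    if (read(fd[0], &id, sizeof id) != sizeof id) id = -1;
    close(fd[0]);
    waitpid(pid, NULL, 0);
    return id;
}

/* 1: behaviour matches the description, 0: it does not, -1: keyctl unavailable. */
int demo_session_keyring_inheritance(void) {
    /* Give this process its own anonymous session keyring to start from. */
    if (kctl(KEYCTL_JOIN_SESSION_KEYRING, 0, 0) < 0) return -1;
    long parent = session_id();
    long inherited = child_session_id(0);  /* plain fork: same keyring */
    long detached = child_session_id(1);   /* joined a new one: different */
    if (parent < 0 || inherited < 0 || detached < 0) return -1;
    printf("parent=%ld inherited=%ld detached=%ld\n", parent, inherited, detached);
    return inherited == parent && detached != parent && session_id() == parent;
}

int main(void) { return demo_session_keyring_inheritance() == 0; }
```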